New version of Skimer ATM malware comes back after several year absence

Trojan allows hackers to make cash withdrawals from ATMs using "magic" cards and also skim card data from users without the need for external hardware.

Tyupkin ATM trojan
Tyupkin ATM trojan

Security researchers have warned that a new variant of the Skimer malware is enabling cyber-criminals to make cash withdrawals from banks' ATMs.

The malware was first discovered in 2009, but has now made a comeback as hackers have updated and used the code in live attacks as late as this month.

The most recent version affects Windows-based ATMs, checking the file system used to install correctly. If it's FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If it is an NTFS file system, the same file will be placed in the NTFS data stream corresponding to the XFS service´s executable file.

According to Kaspersky, this is done to make forensic analysis more difficult. After successful installation, the sample patches the XFS executable (SpiService.exe) entry point, in order to add a LoadLibrary call to the dropped netmgr.dll file. This enables the malware to access the number pad and card reader.

Skimer only activates when a special card (Kaspersky dubbed it a “magic” card) is inserted. Special data is written onto the magnetic stripe and depending on the data on Track 2 of the stripe, the malware either displays a user interface on the ATM screen or automatically executes commands on the card.

These commands can enable the attacker to force the machine to dispense banknotes, start collecting details of cards inserted into the machine or to update/uninstall the malware.

"One important detail to note about this case is the hardcoded information in the Track2 – the malware waits for this to be inserted into the ATM in order to activate," the Kaspersky researchers said in a blog post.

"Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware."

Kerry Davies, CEO of Abatis, told SCMagazineUK.com that banks can protect against this sort of attack by physically securing the ATM to prevent access to devices that allow malware to be inserted at the ATM.  Lightweight protection software can be installed to prevent illicit use of these I/O devices.

“Good practice in the bank should require separation of duties and two-person-rule control such that it requires collusion on the part of two people to subvert the security of the bank.  Some banks perhaps do not follow such good practice – and recent evidence of the successful attacks against SWIFT funds transfer network show that it is often the weaker banks that act as routes into the secure network – in the same way they could be the weak links that allow malware into the ATM network,” he said.

Oliver Pinson-Roxburgh, SE Director, EMEA at Alert Logic, told SC that due to stringent controls (closed networks) on accessing the ATM OS, a large proportion of the mitigation needs to be on physical access to systems and the levels of permissions assigned to internal resources who support the systems.

“Migrating away from XP is a must as it increases the attack surface area unnecessarily but this has a huge cost implication. I would say that the types of ATMs you see in newsagents are a different story,” he said. 

“I have heard of examples where full ATMs have been replaced with malicious ones, as well as fake ATMs being set up – they are also easy to access. An asset inventory needs to be maintained, as well as regular testing for systems going off and online.” 

Sign up to our newsletters